This report contains two recommendations addressing areas where the
Bureau can improve on separating responsibilities for the data input, and
evaluating user access privileges.
Direct comments/inquiries to:
Legislative  Audit  Division 
Room  160,  State  Capitol 
PO  Box  201705 
Helena  MT  59620-1705 


Help  eliminate  fraud,  waste,  and  abuse  in  state  government.  Call  the  Fraud  Hotline  at 
1-800-222-4446  statewide  or  444-4446  in  Helena. 
INFORMATION SYSTEMS AUDITS


Information  Systems  (IS)  audits  conducted  by  the  Legislative  Audit  Division  are  designed  to 
assess  controls  in  an  IS  environment.  IS  controls  provide  assurance  over  the  accuracy,  reliability, 
and  integrity  of  the  information  processed.  From  the  audit  work,  a  determination  is  made  as  to 
whether  controls  exist  and  are  operating  as  designed.  In  performing  the  audit  work,  the  audit  staff 
uses  audit  standards  set  forth  by  the  United  States  General  Accounting  Office. 

Members  of  the  IS  audit  staff  hold  degrees  in  disciplines  appropriate  to  the  audit  process.  Areas 
of  expertise  include  business,  accounting  and  computer  science. 

IS  audits  are  performed  as  stand-alone  audits  of  IS  controls  or  in  conjunction  with  financial- 
compliance  and/or  performance  audits  conducted  by  the  office.  These  audits  are  done  under  the 
oversight  of  the  Legislative  Audit  Committee  which  is  a  bicameral  and  bipartisan  standing 
committee  of  the  Montana  Legislature.  The  committee  consists  of  six  members  of  the  Senate  and 
six  members  of  the  House  of  Representatives. 


MEMBERS  OF  THE  LEGISLATIVE  AUDIT  COMMITTEE 


Senator  John  Cobb  Representative  Dee  Brown 

Senator  Mike  Cooney  Representative  Tim  Callahan 

Senator  Jim  Elliott,  Vice  Chair  Representative  Hal  Jacobson 

Senator  John  Esp  Representative  John  Musgrove 

Senator  Dan  Harrington  Representative  Jeff  Pattison,  Chair 

Senator  Corey  Stapleton  Representative  Rick  Ripley 


LEGISLATIVE  AUDIT  DIVISION 


Scott  A.  Seacat,  Legislative  Auditor 
John  W.  Northey,  Legal  Counsel 


Deputy  Legislative  Auditors: 

Jim  Pellegrini,  Performance  Audit 

Tori  Hunthausen,  IS  Audit  &  Operations 

James  Gillett,  Financial-Compliance  Audit 


June  2004 


The  Legislative  Audit  Committee 
of  the  Montana  State  Legislature: 

We conducted an Information Systems audit of the Section 8 Housing Information System,
Housing Pro, at the Department of Commerce Housing Assistance Bureau. Our audit focused on
the Housing Assistance Bureau's administration of the software in accordance with applicable
federal guidelines and industry accepted best practices.

We  wish  to  express  our  appreciation  to  the  department  for  their  cooperation  and  assistance. 


Respectfully submitted,


Scott A. Seacat

Legislative  Auditor 


Room 160, State Capitol Building PO Box 201705 Helena, MT 59620-1705
Phone (406) 444-3122 FAX (406) 444-9784 E-Mail lad@state.mt.us
Introduction and Background


Introduction 


Background 


The Housing Assistance Bureau of the Department of Commerce
administers the Section 8 housing program using Housing Pro, a
database application purchased from HAPPY Software, Inc., which
provides housing-related software solutions to housing agencies in
all 50 states. Section 8 housing is a federally funded program
providing subsidy payments for rent and utilities to landlords and
property owners on behalf of low-income individuals and families.

Housing  Pro  determines  eligibility  for  the  Section  8  program  and 
calculates  subsequent  payments  based  on  income  limits,  fair  market 
rent  amounts,  and  utility  allowances.  The  U.S.  Department  of 
Housing  and  Urban  Development  (HUD)  adopts  and  publishes  fair 
market  rent  amounts,  income  limits,  and  guidelines  for  determining 
payment  standards.  The  Housing  Assistance  Bureau  annually 
develops  payment  standards  and  contracts  for  the  development  of  the 
utility  allowances.  Income  limits  determine  eligibility  for  the 
Section  8  program  based  on  family  size.  Fair  market  rent  amounts 
are  used  to  develop  payment  standards  based  on  the  size  of  the 
housing  unit.  Housing  Pro's  operation  is  dependent  upon  the 
accuracies  of  the  income  limits,  payment  standards,  and  utility 
allowances  entered  manually  into  Housing  Pro  screens. 


Objectives 


The  objectives  of  this  audit  were  to  provide  assurance  over  the 
accuracy  and  reliability  of  the  information  processed  by  the  Housing 
Pro  application  by  determining  if: 


•  Housing Pro accurately determines Section 8 eligibility
and subsequent payment amounts based on HUD
guidelines and requirements.

Payment standards, income limits, and utility allowances
must be accurately entered into Housing Pro in order to
ensure compliance with HUD standards. Refer to Findings
and Recommendations section for further discussion.

•  The monthly warrant information interface to the
Statewide Accounting, Budgeting and Human Resources
System (SABHRS) is complete and accurate.

To make monthly subsidy payments to landlords and property
owners, payment information must be transmitted from
Housing Pro to SABHRS, which creates warrants for the
State of Montana. During the month-end processes, we found
evidence to confirm completeness and accuracy of data
transferred, including: a reconciliation process, comparison
of totals, file transfer logs, and SABHRS upload edit reports.

•  Housing Pro system is protected from common security
vulnerabilities.

Data security depends on the physical and logical security
environment of the Housing Pro servers that process the data,
and the user privileges for the Housing Pro application.
Responsibility for physical and logical security is contracted
to the State of Montana's Information Technology Services
Division (ITSD). The Housing Pro servers are physically
located in the ITSD data center, and ITSD personnel maintain
adequate security and ensure timely updates of all patches and
updates.

•  User access is appropriate.

Data integrity and accuracy is dependent upon appropriate
Housing Pro user access privileges. Refer to Findings and
Recommendations section for further discussion.


Audit Scope and
Methodology


The audit was conducted in accordance with government auditing
standards published by the United States General Accounting Office
(GAO), and accepted industry information systems guidelines.


Fieldwork  included  a  review  of  general  and  application  control 
environments.  Work  in  the  application  controls  area  concentrated  on 
controls  relating  to  the  completeness  and  accuracy  of  the  Housing 
Pro  to  SABHRS  interface,  and  the  configuration  of  the  software  in 
accordance  with  HUD  guidelines  for  income  limits,  payment 
standards,  and  utility  allowances.  Work  in  the  general  controls  area 
concentrated  on  the  physical  and  logical  control  environment  for  the 
servers  housing  the  software  and  database,  and  the  appropriateness 
of  user  privileges  in  the  database  in  accordance  with  accepted 
industry  standards. 
To ensure our primary objectives were met, we extracted data from
the database and verified the accuracy, observed the month-end
interface to SABHRS, reviewed user access privileges for
appropriateness, and used reports from industry accepted security
scanning software to check for vulnerabilities on the Housing Pro
servers.


Conclusion


With the exception of issues noted in the Findings and
Recommendations section of this report, the Housing Assistance
Bureau administers Housing Pro in accordance with federal
guidelines and industry accepted best practices. Issues found do not
present a significant impact on eligibility determination and payment
amounts. At the completion of fieldwork, the Section 8 Housing
system accurately determined eligibility and payment amounts for
the Section 8 Housing program.
Findings and Recommendations


Segregation  of  Duties 


At the most basic level, segregation of duties is a key internal control
that means no individual should have control over two or more
significant phases of an operation. Adequate segregation of duties
reduces the likelihood of errors remaining undetected by providing
separate processing by different individuals at various phases of an
operation and provides independent reviews of work performed.


The Housing Pro software's inability to electronically load data
necessitates manual data entry, which is more susceptible to human
error. A considerable amount of data must be entered annually into
Housing Pro screens including 448 income limits and 448 payment
standards spanning 56 counties, and 5,508 utility allowances
spanning 18 districts. We reviewed all data entered for accuracy; 8
of the 18 districts had at least one utility allowance error and 1 of the
56 counties had an income limit error. Errors identified did not
significantly impact eligibility determination and payment amounts.
Payment standards were correct for all 56 counties. Upon
notification, Housing Assistance Bureau personnel promptly
corrected data entry errors.


The Section 8 IT Manager is responsible for entering all of the data
relating to income limits, payment standards, and utility allowances,
and reviewing the data entered for accuracy. By separating the data
entry function from the review function the Housing Assistance
Bureau can better ensure the accuracy of data entered by providing
an independent review. This can be done using current Housing
Assistance Bureau staff and will not require additional cost.


Recommendation #1

We recommend that the Housing Assistance Bureau separate
the data entry function for Section 8 Housing from the data
accuracy review function.


User Privileges


Section 8 Housing employees perform functions within Housing Pro
based on privileges granted through user privileges screens by the
Section 8 IT Manager. Privileges can be granted to individual users
or groups of users.

Industry  standards  state  that  IT  management  should  implement 
procedures  that  provide  access  security  control  based  on  the 
individual's  demonstrated  need  to  view,  add,  change  or  delete  data. 
Eight  users  have  all  privileges  for  the  Housing  Pro  application, 
which  is  beyond  what  is  needed  to  perform  their  day-to-day  job 
functions.  For  instance,  the  IT  Manager  is  the  only  user  responsible 
for  granting  user  privileges,  yet  all  eight  users  have  the  ability  to 
make  changes  to  privileges.  There  exists  a  possibility  that  data  or 
settings  in  the  application  could  be  changed,  whether  intentionally  or 
unintentionally,  and  have  an  adverse  effect  on  the  operation  of 
Housing Pro. Housing Assistance Bureau management confirmed
they have not performed a formal assessment of necessary privileges
for all users and groups to perform their jobs; consequently, no
documentation exists supporting user access decisions.

The  Housing  Assistance  Bureau  currently  has  Housing  Pro's  "audit" 
feature  activated,  which  logs  changes  to  data  and  mitigates  the  risk 
presented  by  unnecessary  privileges.  Logs  are  backed  up  nightly  and 
kept  for  at  least  3  months  but  not  reviewed  unless  a  problem  is 
suspected.  Unless  the  audit  log  is  reviewed  regularly  it  is  not  an 
effective  compensating  control. 


Recommendation  #2 


We  recommend  that  the  Housing  Assistance  Bureau: 

A.  Conduct  a  formal  assessment  of  user  privileges  ensuring 
privileges  are  appropriate,  and 

B.  Document  the  assessment. 
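
One way to run and document the checks behind Recommendations #1 and #2, as an added example that is not part of the audit report or of Housing Pro. It compares each user's granted privileges with the documented need for their role and lists baseline-data entries that lack an independent reviewer. The export format, role names, privilege names and log fields are assumptions, and all sample rows are constructed.

```python
import csv
import io

# Constructed sample export of an application privilege matrix (hypothetical format).
GRANTS_CSV = """user,role,privileges
it_manager,admin,view;add;change;delete;grant_privileges
clerk_a,data_entry,view;add;change;delete;grant_privileges
clerk_b,data_entry,view;add;change
inspector_c,read_only,view;add
"""

# Documented need per role: the written record the assessment produces (assumed roles).
ROLE_NEED = {
    "admin": {"view", "add", "change", "delete", "grant_privileges"},
    "data_entry": {"view", "add", "change"},
    "read_only": {"view"},
}

# Constructed baseline-data change log: who entered a value and who reviewed it.
CHANGE_LOG = [
    {"table": "income_limits", "entered_by": "it_manager", "reviewed_by": "it_manager"},
    {"table": "utility_allowances", "entered_by": "it_manager", "reviewed_by": "supervisor_d"},
    {"table": "payment_standards", "entered_by": "it_manager", "reviewed_by": None},
]

def assess_privileges(grants_csv, role_need):
    """Return {user: sorted excess privileges} for users holding more than their role needs."""
    findings = {}
    for row in csv.DictReader(io.StringIO(grants_csv)):
        granted = {p for p in row["privileges"].split(";") if p}
        # An unknown role has no documented need, so everything it holds is flagged.
        excess = granted - role_need.get(row["role"], set())
        if excess:
            findings[row["user"]] = sorted(excess)
    return findings

def unreviewed_or_self_reviewed(change_log):
    """Return log entries lacking an independent reviewer (segregation of duties)."""
    return [e for e in change_log
            if e["reviewed_by"] is None or e["reviewed_by"] == e["entered_by"]]

if __name__ == "__main__":
    for user, excess in assess_privileges(GRANTS_CSV, ROLE_NEED).items():
        print(f"{user}: remove {', '.join(excess)}")
    for entry in unreviewed_or_self_reviewed(CHANGE_LOG):
        print(f"{entry['table']}: no independent review")
```

Keeping the role-need table under version control gives the written record of access decisions, and rerunning the script on each export makes the review periodic rather than incident-driven.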




Department  Response 




MONTANA

Department of Commerce

HOUSING DIVISION

PO Box 200545 ♦ Helena, Montana 59620-0545 ♦ http://commerce.state.mt.us
Phone 406-841-2830 ♦ Fax 406-841-2810 ♦ TDD 406-841-2702


June  8,  2004 


Mr. Scott A. Seacat, Legislative Auditor
Legislative Audit Division
Room 160, State Capitol
PO Box 201705
Helena, MT 59620-1705


Dear  Mr.  Seacat, 


We reviewed recommendations from the Information Systems Audit (04DP-05) of the
HUD Section 8 Housing Information System of the Montana Department of Commerce
Housing Assistance Bureau. The audit was very important and timely, since the HAPPY
Pro system is new to us. We have been given a greater level of confidence in the new
system, knowing it has been reviewed by an independent outside source.

Our  response  to  the  recommendations  is  as  follows: 


Recommendation  #1 

We  recommend  that  the  Housing  Assistance  Bureau  separate  the  data  entry 
function  for  Section  8  Housing  from  the  data  accuracy  review  function. 

Bureau  Response 

The  Bureau  concurs.  Entry  of  baseline  income  limits,  payment  standards,  and  utility 
allowances  which  control  rental  subsidy  calculations  is  very  important  and  interlocks 
with  a  new  HUD  initiative  to  improve  accuracy  of  participant  rent  and  income 
calculations.  Data  entry  will  be  separated  from  the  data  review.  The  Bureau  IT  Manager 
will  enter  new  baseline  data,  and  a  Program  Supervisor  will  review  it  prior  to  releasing  it 
to  system  users  for  use  in  calculating  rental  amounts. 


Recommendation  #2 

We  recommend  that  the  Housing  Assistance  Bureau: 
A. Conduct a formal assessment of user privileges ensuring privileges are
appropriate, and

B.  Document  the  Assessment. 

Bureau  Response 

The  Bureau  Concurs.  The  Bureau  IT  Manager  conducted  and  documented  the 
recommended  assessment  of  user  privileges.  Privileges  have  been  changed  to  match 
minimum  access  requirements  for  all  system  users  where  necessary.  The  Bureau  will 
maintain  written  records  of  privileges  granted  to  all  system  users,  and  update  on  a  regular 
basis. 


My staff and I will be available to discuss the audit and recommendations with the
Legislative Audit Committee at its convenience.


Sincerely,